Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

What is AMTCertHash in StartConfigurationHBased?

jic5760
New Contributor I

Hello,

First question,

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2FcfgstartconfigurationHBased.htm

I would like to know which certificate's hash is AMTCertHash in the above manual.

I got the hash via the CFG_StartConfigurationHBased command, but couldn't find any matching certificate.

> StartConfigurationHBased
status :  AMT_STATUS_SUCCESS
HashAlgorithm :  2
AMTCertHash :  3ea11c5c917c8d48769363053eb12fef93b169c759fd738a873edd1084dd0d010000000000000000000000000000000000000000000000000000000000000000


> openssl s_client -showcerts -connect 127.0.0.1:16993 -tls1_2

CONNECTED(00000174)
Can't use SSL_get_servername
depth=3 CN = CSME TGL ROM CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 CN = CSME TGL SVN01 Kernel CA
verify return:1
depth=1 CN = CSME TGL AMT  01SVN
verify return:1
depth=0 CN = AMT RCFG
verify return:1
30390000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../openssl-3.1.4/ssl/record/rec_layer_s3.c:1586:SSL alert number 40
---
Certificate chain
 0 s:CN = AMT RCFG
   i:CN = CSME TGL AMT  01SVN
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Jul  5 00:00:00 2020 GMT; NotAfter: Dec 31 23:59:59 2049 GMT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 1 s:CN = CSME TGL AMT  01SVN
   i:CN = CSME TGL SVN01 Kernel CA
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Jul  5 00:00:00 2020 GMT; NotAfter: Dec 31 23:59:59 2049 GMT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 2 s:CN = CSME TGL SVN01 Kernel CA
   i:CN = CSME TGL ROM CA
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Oct  4 00:00:00 2020 GMT; NotAfter: Dec 31 23:59:59 2049 GMT
-----BEGIN CERTIFICATE-----
MIICcjCCAfmgAwIBAgIBATAKBggqhkjOPQQDAzAaMRgwFgYDVQQDDA9DU01FIFRH
TCBST00gQ0EwHhcNMjAxMDA0MDAwMDAwWhcNNDkxMjMxMjM1OTU5WjAjMSEwHwYD
VQQDDBhDU01FIFRHTCBTVk4wMSBLZXJuZWwgQ0EwdjAQBgcqhkjOPQIBBgUrgQQA
IgNiAASbDSUBdhrmowV1EaDSAgNMWsiOB+WI3DtRcEPaKYudiNr5KaNxtkmjQaU6
DESSnkHC4ODzivEPQPkJ/HDQhGocme2gNUPQGLracoPn1BXfUKBhP5L2mlJRPcvu
TNmJhkWjggEIMIIBBDAfBgNVHSMEGDAWgBQwk5q+4GqrKzhN2KP5niNt0wsinzAd
BgNVHQ4EFgQUez/GF9LRcuXvOFXS3ncVrz989HYwDwYDVR0TAQH/BAUwAwEB/zAO
BgNVHQ8BAf8EBAMCAqwwgaAGA1UdHwSBmDCBlTCBkqBKoEiGRmh0dHBzOi8vdHNj
aS5pbnRlbC5jb20vY29udGVudC9PbkRpZUNBL2NybHMvT25EaWVfQ0FfQ1NNRV9J
bmRpcmVjdC5jcmyiRKRCMEAxJjAkBgNVBAsMHU9uRGllIENBIENTTUUgSW50ZXJt
ZWRpYXRlIENBMRYwFAYDVQQDDA13d3cuaW50ZWwuY29tMAoGCCqGSM49BAMDA2cA
MGQCMAcyo5kRq6miBsW2Ki8mZ+pBTQqd6+GGtl7Py/cbo4Tb7+X5sfwLQ0eMED9C
+D5J0gIwfOdDer04y3Y7extnsySPAd2mPxTDhU1qwp50xaU8VC4hwachY5wL2FQv
aYv7jOo8
-----END CERTIFICATE-----
 3 s:CN = CSME TGL ROM CA
   i:OU = On Die CSME P_TGL 00002004 Issuing CA, CN = www.intel.com
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: May  1 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2049 GMT
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=CN = AMT RCFG
issuer=CN = CSME TGL AMT  01SVN
---

I don't know if it was intentional, but the public key of the `AMT RCFG` certificate is the same every time while the signature is different every time, so the hash cannot be compared.

(AMT Version is 15.0.45)

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fsetupandconfigurationusingsecurehostbasedconfiguration.htm
If secure Host Based Provisioning is used, the agent invokes CFG_StartConfigurationHBased() to place the Intel AMT device into Setup Mode (see Intel AMT Device Modes) Mutual-TLS. The SCA TLS leaf certificate hash is provided by the agent as an input parameter. The Intel AMT device returns the hash of the AMT ODCA leaf certificate as an output parameter. The Agent sends the Intel AMT certificate hash to the management console which sends it to the SCA Server. Now both ends are configured with the required certificates for the Mutual TLS session.

It says the same as above, but, as said, the hash of the leaf certificate changes every time.

Changed certificate:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Each time I execute the `openssl s_client -showcerts -connect 127.0.0.1:16993 -tls1_2` command, a changed certificate is displayed.

The DER hash of the other certificates also does not match.

Second question,

https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fintelamtdevicemodes1.htm

Here it says that AdminSetup has been deprecated, so I am trying CFG_StartConfigurationHBased.

After establishing an mTLS connection using CFG_StartConfigurationHBased, what Action is available for ACM Setup instead of AdminSetup?

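As an added example (not from the post above and not code from the Intel AMT SDK), the following Python script takes an `openssl s_client -showcerts` dump together with the HashAlgorithm/AMTCertHash pair returned by CFG_StartConfigurationHBased and reports which chain element, if any, hashes to the reported value. Two things are assumptions, not facts stated on the page: that HashAlgorithm value 2 denotes SHA-256 (the reported AMTCertHash has 32 non-zero bytes followed by zero padding, which is consistent with a SHA-256 digest in a fixed 64-byte buffer), and that the device hashes the full DER encoding of the certificate. The sample input is the one chain element the post reproduces in full (the CSME TGL SVN01 Kernel CA); the script reproduces the poster's finding that its DER hash does not match.

```python
"""Added example (not from the post or the Intel AMT SDK): hash the certificates in an
`openssl s_client -showcerts` dump the way AMTCertHash is reported and look for a match."""
import base64
import binascii
import hashlib
import re

# Assumption: mapping of the HashAlgorithm value returned by CFG_StartConfigurationHBased
# to a digest. The page does not state it; value 2 is taken to be SHA-256 because the
# reported AMTCertHash has 32 non-zero bytes followed by zero padding.
HASH_ALGORITHMS = {0: "md5", 1: "sha1", 2: "sha256", 3: "sha384"}

# AMTCertHash is returned as a fixed 64-byte buffer; shorter digests are zero-padded.
AMT_CERT_HASH_BYTES = 64

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_certs_from_showcerts(text):
    """Extract DER certificates from s_client -showcerts output, in chain order.

    A block whose body is not valid base64 (for example a certificate that was
    cut out of a paste) is skipped instead of aborting the whole comparison.
    """
    ders = []
    for body in PEM_BLOCK.findall(text):
        compact = "".join(body.split())
        if not compact:
            continue
        try:
            ders.append(base64.b64decode(compact, validate=True))
        except binascii.Error:
            continue
    return ders


def amt_cert_hash(der, algorithm_id):
    """Digest of the full DER encoding, hex-encoded and zero-padded to 64 bytes."""
    digest = hashlib.new(HASH_ALGORITHMS[algorithm_id], der).digest()
    return digest.ljust(AMT_CERT_HASH_BYTES, b"\x00").hex()


def find_matching_cert(ders, algorithm_id, reported_hex):
    """Index of the chain element whose hash equals the reported AMTCertHash, or None."""
    wanted = reported_hex.strip().lower()
    for idx, der in enumerate(ders):
        if amt_cert_hash(der, algorithm_id) == wanted:
            return idx
    return None


# Values copied from the post above (the reported hash is 32 bytes plus 32 zero bytes).
REPORTED_HASH_ALGORITHM = 2
REPORTED_AMT_CERT_HASH = (
    "3ea11c5c917c8d48769363053eb12fef93b169c759fd738a873edd1084dd0d01" + "00" * 32)

# The one chain element the post reproduces in full (depth 2, CSME TGL SVN01 Kernel CA);
# the other PEM bodies are not available on the page.
SHOWCERTS_EXCERPT = """\
 2 s:CN = CSME TGL SVN01 Kernel CA
   i:CN = CSME TGL ROM CA
-----BEGIN CERTIFICATE-----
MIICcjCCAfmgAwIBAgIBATAKBggqhkjOPQQDAzAaMRgwFgYDVQQDDA9DU01FIFRH
TCBST00gQ0EwHhcNMjAxMDA0MDAwMDAwWhcNNDkxMjMxMjM1OTU5WjAjMSEwHwYD
VQQDDBhDU01FIFRHTCBTVk4wMSBLZXJuZWwgQ0EwdjAQBgcqhkjOPQIBBgUrgQQA
IgNiAASbDSUBdhrmowV1EaDSAgNMWsiOB+WI3DtRcEPaKYudiNr5KaNxtkmjQaU6
DESSnkHC4ODzivEPQPkJ/HDQhGocme2gNUPQGLracoPn1BXfUKBhP5L2mlJRPcvu
TNmJhkWjggEIMIIBBDAfBgNVHSMEGDAWgBQwk5q+4GqrKzhN2KP5niNt0wsinzAd
BgNVHQ4EFgQUez/GF9LRcuXvOFXS3ncVrz989HYwDwYDVR0TAQH/BAUwAwEB/zAO
BgNVHQ8BAf8EBAMCAqwwgaAGA1UdHwSBmDCBlTCBkqBKoEiGRmh0dHBzOi8vdHNj
aS5pbnRlbC5jb20vY29udGVudC9PbkRpZUNBL2NybHMvT25EaWVfQ0FfQ1NNRV9J
bmRpcmVjdC5jcmyiRKRCMEAxJjAkBgNVBAsMHU9uRGllIENBIENTTUUgSW50ZXJt
ZWRpYXRlIENBMRYwFAYDVQQDDA13d3cuaW50ZWwuY29tMAoGCCqGSM49BAMDA2cA
MGQCMAcyo5kRq6miBsW2Ki8mZ+pBTQqd6+GGtl7Py/cbo4Tb7+X5sfwLQ0eMED9C
+D5J0gIwfOdDer04y3Y7extnsySPAd2mPxTDhU1qwp50xaU8VC4hwachY5wL2FQv
aYv7jOo8
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    chain = der_certs_from_showcerts(SHOWCERTS_EXCERPT)
    for idx, der in enumerate(chain):
        print(f"cert {idx}: {amt_cert_hash(der, REPORTED_HASH_ALGORITHM)}")
    match = find_matching_cert(chain, REPORTED_HASH_ALGORITHM, REPORTED_AMT_CERT_HASH)
    print("matching chain element:", match)
```

To compare against a live device, pipe the output of `openssl s_client -showcerts -connect <host>:16993 -tls1_2 </dev/null` into `der_certs_from_showcerts` instead of the excerpt. Because the script hashes the whole DER certificate, a leaf that is re-issued on every connection (same public key, new signature, as the post observes) will never produce a stable hash; if the device actually hashes something else, such as the public key alone, this comparison will not find it either, which is exactly the open question in the thread.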
4 Replies
Victor_G_Intel
Employee

Hello jic5760,

Thank you for posting on the Intel® communities.

Can you please confirm which management console you are currently using? Is it Intel EMA? We noticed that you are using localhost as the FQDN.

Regards,

Victor G.

Intel Technical Support Technician
jic5760
New Contributor I
Hello,

We are implementing it ourselves using the AMT SDK without EMA.
MIGUEL_C_Intel
Employee

Hello, jic5760,


Thank you for your explanation.  Please allow us time to review your questions.


Regards,

Miguel C.

Intel Customer Support Technician


MIGUEL_C_Intel
Employee

Hello, jic5760,


We noticed your question was moved to the Intel® Business Client Software Development forum. Thank you for your understanding. I am closing the forum thread.


Regards,

Miguel C.

Intel Customer Support Technician

